add support for multiple audiences as described in RFC 7519

Author: mdarii

jws/jws.go

@@ -32,12 +32,12 @@ import (
 // permissions being requested (scopes), the target of the token, the issuer,
 // the time the token was issued, and the lifetime of the token.
 type ClaimSet struct {
-	Iss   string `json:"iss"`             // email address of the client_id of the application making the access token request
-	Scope string `json:"scope,omitempty"` // space-delimited list of the permissions the application requests
-	Aud   string `json:"aud"`             // descriptor of the intended target of the assertion (Optional).
-	Exp   int64  `json:"exp"`             // the expiration time of the assertion (seconds since Unix epoch)
-	Iat   int64  `json:"iat"`             // the time the assertion was issued (seconds since Unix epoch)
-	Typ   string `json:"typ,omitempty"`   // token type (Optional).
+	Iss   string      `json:"iss"`             // email address of the client_id of the application making the access token request
+	Scope string      `json:"scope,omitempty"` // space-delimited list of the permissions the application requests
+	Aud   interface{} `json:"aud"`             // descriptor of the intended target of the assertion. Can be string or []string per RFC 7519.
+	Exp   int64       `json:"exp"`             // the expiration time of the assertion (seconds since Unix epoch)
+	Iat   int64       `json:"iat"`             // the time the assertion was issued (seconds since Unix epoch)
+	Typ   string      `json:"typ,omitempty"`   // token type (Optional).
 
 	// Email for which the application is requesting delegated access (Optional).
 	Sub string `json:"sub,omitempty"`

jwt/jwt.go

@@ -64,8 +64,16 @@ type Config struct {
 	// Audience optionally specifies the intended audience of the
 	// request.  If empty, the value of TokenURL is used as the
 	// intended audience.
+	// Deprecated: Use Audiences for multiple audiences or for RFC 7519 compliance.
 	Audience string
 
+	// Audiences optionally specifies the intended audiences of the
+	// request as a slice of strings. This field takes precedence over
+	// Audience if both are set. If empty, Audience or TokenURL is used.
+	// Per RFC 7519, when there's a single audience, it will be serialized
+	// as a string; when there are multiple audiences, as an array.
+	Audiences []string
+
 	// PrivateClaims optionally specifies custom private claims in the JWT.
 	// See http://tools.ietf.org/html/draft-jones-json-web-token-10#section-4.3
 	PrivateClaims map[string]any
@@ -117,9 +125,22 @@ func (js jwtSource) Token() (*oauth2.Token, error) {
 	if t := js.conf.Expires; t > 0 {
 		claimSet.Exp = time.Now().Add(t).Unix()
 	}
-	if aud := js.conf.Audience; aud != "" {
+
+	// Handle audience per RFC 7519: single string or array of strings
+	if len(js.conf.Audiences) > 0 {
+		// Use new Audiences field (takes precedence)
+		if len(js.conf.Audiences) == 1 {
+			// Single audience: use string per RFC 7519
+			claimSet.Aud = js.conf.Audiences[0]
+		} else {
+			// Multiple audiences: use array per RFC 7519
+			claimSet.Aud = js.conf.Audiences
+		}
+	} else if aud := js.conf.Audience; aud != "" {
+		// Use legacy Audience field for backward compatibility
 		claimSet.Aud = aud
 	}
+	// If neither is set, Aud remains as TokenURL (set above)
 	h := *defaultHeader
 	h.KeyID = js.conf.PrivateKeyID
 	payload, err := jws.Encode(&h, claimSet, pk)

jwt/jwt_test.go

@@ -232,6 +232,20 @@ func TestJWTFetch_AssertionPayload(t *testing.T) {
 				"private1": "claim1",
 			},
 		},
+		{
+			Email:        "aaa3@xxx.com",
+			PrivateKey:   dummyPrivateKey,
+			PrivateKeyID: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
+			TokenURL:     ts.URL,
+			Audiences:    []string{"https://api.example.com"},
+		},
+		{
+			Email:        "aaa4@xxx.com",
+			PrivateKey:   dummyPrivateKey,
+			PrivateKeyID: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
+			TokenURL:     ts.URL,
+			Audiences:    []string{"https://api.example.com", "https://other.example.com"},
+		},
 	} {
 		t.Run(conf.Email, func(t *testing.T) {
 			_, err := conf.TokenSource(context.Background()).Token()
@@ -259,13 +273,27 @@ func TestJWTFetch_AssertionPayload(t *testing.T) {
 			// Scope should NOT be in the JWT claim set according to RFC 7521
 			if claimSet.Scope != "" {
 				t.Errorf("payload scope should be empty but got %q; scopes should be sent as request parameter", claimSet.Scope)
+			} // Check audience handling per RFC 7519
+			var expectedAud interface{}
+			if len(conf.Audiences) > 0 {
+				if len(conf.Audiences) == 1 {
+					expectedAud = conf.Audiences[0]
+				} else {
+					// When JSON unmarshals an array, it becomes []interface{}
+					expectedAudSlice := make([]interface{}, len(conf.Audiences))
+					for i, aud := range conf.Audiences {
+						expectedAudSlice[i] = aud
+					}
+					expectedAud = expectedAudSlice
+				}
+			} else if conf.Audience != "" {
+				expectedAud = conf.Audience
+			} else {
+				expectedAud = conf.TokenURL
 			}
-			aud := conf.TokenURL
-			if conf.Audience != "" {
-				aud = conf.Audience
-			}
-			if got, want := claimSet.Aud, aud; got != want {
-				t.Errorf("payload audience = %q; want %q", got, want)
+
+			if !reflect.DeepEqual(claimSet.Aud, expectedAud) {
+				t.Errorf("payload audience = %v (type %T); want %v (type %T)", claimSet.Aud, claimSet.Aud, expectedAud, expectedAud)
 			}
 			if got, want := claimSet.Sub, conf.Subject; got != want {
 				t.Errorf("payload subject = %q; want %q", got, want)